METHOD AND APPARATUS FOR ACCELERATING CPE-BASED VPN 
TRANSMISSIONS OVER A WIRELESS NETWORK 

Field of the Invention 

The present invention generally relates to virtual private networks and more 
specifically to a method and apparatus for accelerating customer premises equipment- 
based virtual private network transmissions over a wireless network. 

Background of the Invention 

It is well known that private computer networks are useful for communicating 
electronic data in a secure and reliable manner from one computer to another. As the 
name implies, a private network is a network that is not available for public use. One 
drawback to utilizing a private network is the excessive cost of such networks. This is 
because the owner of such networks must first build the network and then pay fees to 
maintain the associated circuits. These maintenance costs can be significantly greater 
than those associated with public data networks. Private data networks also suffer 
from limited availability in remote areas. 

It is also well known that public networks, such as the Internet, offer 
tremendously efficient means of organizing and communicating electronic data. Such 
public networks are beneficial in that their utilization costs are considerably less than 
that for private data networks. Furthermore, the bandwidth associated with the 
Internet can often greatly exceed that available to private networks. The Internet, 
however, has several drawbacks, the most significant being that the Internet is public. 
As such any data that is transmitted over the Internet is available for public viewing. 


Several attempts have been made to address these problems associated with 
public and private communication networks. One such attempt involves encrypting 
data prior to transmission over the Internet. Networks that utilize public networks to 
transmit encrypted data to computers or networks connected thereto are known as 
"virtual private networks" (VPNs). 

A well known type of VPN is a customer premises equipment-based VPN 
(CPE-VPN). A CPE-VPN is a VPN wherein the majority of the communication 
equipment necessary for establishing the VPN is situated on the enterprise's premises. 
A schematic representation of such a CPE-VPN [100] is generally shown in Fig. 1. 
Referring to Fig. 1, the CPE-VPN depicted therein [100] includes two sub-networks 
interconnected via the public Internet [102]: an enterprise network [104], and a 
wireless network [108]. As will be apparent to one skilled in the art, an enterprise 
network is any privately owned computer network. Referring to enterprise network 
[104] one can see a variety of enterprise content servers [110] connected to a VPN 
switch [112]. It is these content servers [110] that store enterprise data for 
communication over the CPE-VPN. The purpose of the VPN switch [112] is to 
establish a secure communication tunnel [114] with VPN client [118] via the Internet 
[102] and wireless communications network [108], wherein the VPN client [118] is 
any type of wireless communication device. Also depicted in Fig. 1 is an acceleration 
server [120] within wireless network [108]. The role of the acceleration server [120] 
is described below in greater detail. 



The prior art CPE-VPN described above has a number of drawbacks that limit 
its use for the secure transfer of electronic information. One of the major drawbacks 
is its inability to utilize various wireless communication performance optimization 
techniques including compression, protocol optimization, caching, and traffic 
management. Collectively the application of these techniques to a wireless signal can 
be referred to as signal "acceleration." As will be apparent to one skilled in the art, it 
is the acceleration server [120] that applies these acceleration algorithms to the signal 
to improve the performance of the data flow over the bandwidth limited wireless 
connection. 

The inability of a CPE-VPN to accelerate a wireless signal is best explained 
with reference to Figs. 2 and 3. Fig. 2 shows the Open System Interconnection (OSI) 
standard for worldwide communications [200] as is known in the art. The OSI 
standard is an ISO (International Organization for Standardization) standard 
specifying the seven layers of computer communications. The seven layers 
are: (i) the physical layer - for passing and receiving bits onto and from the 
connection medium [202]; (ii) data link layer - for ensuring node to node validity and 
integrity of the transmission [204]; (iii) network layer - for establishing the route 
between the sending and receiving nodes [206]; (iv) transport layer - for overall end 
to end validity and integrity of the transmission [208]; (v) session layer - for 
providing coordination of the communications between the connected parties and 
marking significant parts of the transmitted data with checkpoints to allow for fast 
recovery in the event of a connection failure [210]; (vi) presentation layer - for 
negotiating and managing the way data is represented and encoded when data is 
transmitted between different computer types [212]; and (vii) application layer - for 
defining the language and syntax that the programs use to communicate with other 
programs [214]. 

Referring to Fig. 3, a network layer representation of an electronic message 
being communicated over the prior art CPE-VPN [100] of Fig. 1 is shown. Note, for 
sake of simplicity, the intermediate network depicted in Fig. 1 is not depicted in Fig. 
3. Starting from a content server [110] within enterprise network [104], an electronic 
message stating "HELLO" is sent towards a VPN acceleration client [118] that is 
connected to wireless network [108]. En route to wireless device [118] the message 
is encrypted by VPN switch [112] such that the message now reads "PZRZO" for 
transmission through tunnel [114]. As shown in Fig. 3, encryption of the electronic 
message occurs at layer 3 (network layer) of the OSI standard. Electronic 
transmissions that are encrypted before transmission are referred to as transmissions 
being made through a "secure tunnel" [114]. 


As mentioned above, the major drawback of traditional CPE-VPNs is their 
inability to accelerate a secure tunnel transmission over the wireless network. The 
reason the CPE-VPNs cannot accelerate such secure tunnel transmissions is that the 
aforementioned performance optimization techniques operate on the transport layer 
and up (fourth layer) of the OSI standard, whereas the encryption occurs on the 
network layer (third layer). That is to say, the signal cannot be accelerated as it 
bypasses the acceleration server [120] in a lower layer encrypted tunnel. 

One prior art attempt to overcome this problem is to accelerate the electronic 
data prior to encryption in the VPN switch [112]. This solution, however, requires the 
wireless operator to sell an acceleration solution to each enterprise account that wants 
to have their remote/mobile employees' data accelerated. Furthermore, this solution 
results in higher start-up costs for the enterprise that owns the enterprise network, as 
this solution requires the purchase of an enterprise acceleration server. 

A need exists, therefore, for a method for securely accelerating CPE-based 
VPN transmissions over a wireless network. 

Summary of the Invention 

One aspect of the invention is defined as a method for securely accelerating 
customer premises equipment based virtual private network transmissions over a 
wireless network comprising the steps of: establishing an encrypted acceleration 
tunnel between a VPN acceleration client and a VPN acceleration server in response 
to a VPN acceleration client request for information, wherein the encrypted 
acceleration tunnel terminates at a VPN acceleration server; securely transmitting the 
relevant VPN address and required data information to the VPN acceleration server 
over the encrypted acceleration tunnel; establishing an encrypted VPN tunnel between 
the VPN acceleration server and an appropriate enterprise content server via a VPN 
switch, wherein the appropriate enterprise content server corresponds with the 
required data information transmitted; encrypting and transmitting required data 
corresponding to the required data information from the VPN switch to the VPN 
acceleration server over the VPN tunnel, wherein the required data is communicated 
from the appropriate enterprise content server to the VPN switch prior to encryption 
and transmission; decrypting the required data at the VPN acceleration server; 
accelerating, encrypting and transmitting the required data to the VPN acceleration 
client; and decrypting and decelerating the required data in response to the VPN 
acceleration client receiving the required data. 

The present invention advantageously provides virtual private network service 
to a wireless client, for which acceleration of data on the wireless network is 
provided. 


Brief Description of the Drawings 

These and other features of the invention will become more apparent from the 
following description in which reference is made to the appended drawings in which: 

Fig. 1 presents a schematic representation of a customer premises equipment 
based virtual private network as is known in the art; 

Fig. 2 presents a graphical representation of the Open System Interconnection 
(OSI) standard as is known in the art; 

Fig. 3 presents a network layer representation of a customer premises 
equipment based virtual private network transmission as is known in the art; 

Fig. 4 presents a schematic representation of a customer premises equipment 
based virtual private network in accordance with an embodiment of the present 
invention; and 

Fig. 5 presents a flow chart of a method for securely accelerating customer 
premises equipment based virtual private network transmissions over a carrier 
network in accordance with an embodiment of the present invention. 

Detailed Description of the Invention 

A schematic representation of a CPE-VPN in accordance with an embodiment 
of the present invention is shown in Fig. 4. As shown therein, the CPE-VPN [150] 
includes two subnetworks interconnected by the public Internet [102]. The two sub- 
networks include an enterprise network [104], and a wireless network [108']. 

Referring to enterprise network [104] one can see a VPN switch [112] 
interconnected to a plurality of Enterprise content servers [110]. A VPN switch [112] 
is a server on the enterprise network [104] that communicates with enterprise content 
servers [110] and a VPN acceleration server [160] on the wireless network [108] for 
purposes of establishing a secure communication channel therebetween. As will be 
apparent to one skilled in the art the content servers [110] store the various enterprise 
related data to be communicated over the CPE-VPN [100]. 

Referring to wireless network [108'] there is included a VPN acceleration 
server [160] and a transmitter/receiver [116] for transmitting and receiving wireless 
signals to and from a VPN acceleration client [118']. The VPN acceleration server 
[160] serves the function of accelerating signals for transmission over wireless 
network [108']. As noted earlier, the term accelerating refers to any technique for 
optimizing wireless signals including compression, protocol optimization, caching 
and traffic management. As will be apparent to one skilled in the art, VPN 
acceleration client [118'] could be any form of wireless communication device 
capable of communicating with wireless network [108'] including personal computers 
(PCs), personal digital assistants, pagers and cellular telephones to name a few. 

In operation, an encrypted acceleration tunnel [162] is established between the 
VPN acceleration server [160] and the VPN acceleration client [118'] and a VPN 
tunnel [164] is established between the VPN acceleration server [160] and the VPN 
switch [112]. 

Referring now to Fig. 5 a method of securely accelerating CPE-VPN 
transmissions over a wireless network in accordance with an embodiment of the 
present invention is shown. 

The method begins at a step [500] wherein an encrypted acceleration tunnel 
[162] is established between a VPN acceleration client [118'] and a VPN acceleration 
server [160] in response to a request for information from the VPN acceleration client 
[118']. As will be apparent to one skilled in the art, a request for information from a 
VPN acceleration client [118'] could include any signal communicated from the VPN 
acceleration client [118'] that notifies the VPN acceleration server [160] of an 
intention to securely communicate with enterprise content servers [110]. This 
encrypted acceleration tunnel [162] provides data encryption, but does not necessarily 
create a VPN tunnel. As an example, public key infrastructure (PKI) technology 
could be used to encrypt the data. As will be apparent to one skilled in the 
art, PKI technology is a system of digital certificates, Certificate Authorities, and 
other registration authorities that verify and authenticate the validity of each party 
involved in an Internet transaction. As shown in Fig. 4 the encrypted acceleration 
tunnel extends from the VPN acceleration server [160] to VPN acceleration client 
[118']. The VPN acceleration client's VPN address and other required data 
information is then transmitted to the VPN acceleration server [160] over encrypted 
acceleration tunnel [162] in a step [502]. The required data information transmitted to 
the VPN acceleration server [160] may include the VPN switch [112] IP address, user 
name, and password, and other information that may be required to connect to the 
VPN switch. 

At a step [504] an encrypted VPN tunnel [164] is then established between the 
VPN acceleration server [160] and an appropriate VPN switch [112] providing access 
to an appropriate enterprise content server [110] by the wireless device. In the 
preferred embodiment of the invention the secure tunnel is an IPSec tunnel; however, 
an alternative such as Multiprotocol Label Switching (MPLS) tunnels or Layer 
2 Tunneling Protocol (L2TP) could be used. The appropriateness of an enterprise 
content server corresponds with the required data information transmitted by the VPN 
acceleration client [118'] to VPN switch [112] via VPN acceleration server [160]. 

The next step in the methodology is step [506] wherein required data 
corresponding to the required data information is encrypted and transmitted from the 
VPN switch [112] to the VPN acceleration server [160] over the VPN tunnel [164], 
wherein the required data is communicated from the appropriate Enterprise content 
server to the VPN switch [112] prior to encryption and transmission. 

Next, at step [508], the required data is decrypted, accelerated, encrypted and 
transmitted to the VPN acceleration client [118'] over the encrypted acceleration 
tunnel [162]. For an IPSec tunnel, standard encryption and decryption are used. 

Finally, at a step [510] the required data is decrypted in response to the VPN 
acceleration client [118'] receiving the required data. 
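The two data paths contrasted above (the prior art tunnel [114] passing through the acceleration server, versus the Fig. 5 method where VPN tunnel [164] terminates at acceleration server [160]) can be modelled in a few lines. The following is an added example, not code from the application; it assumes a stand-in stream cipher built from HMAC-SHA256 in counter mode in place of IPSec, constructed keys and a constructed sample message, and uses zlib compression as the "acceleration" step.

```python
"""Constructed model of the two CPE-VPN data paths in the text.
The cipher is a stand-in (HMAC-SHA256 keystream, standard library only); it is
NOT IPSec and reproduces only the property the argument needs: ciphertext
looks random, so a layer-4-and-up accelerator gains nothing by compressing it.
"""
import hashlib
import hmac
import zlib


def tunnel_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same call) by XOR with HMAC-SHA256(key, nonce||ctr)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        msg = nonce + counter.to_bytes(8, "big")
        stream.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def accelerate(data: bytes) -> bytes:
    """The compression part of 'acceleration'; it works on whatever it is given."""
    return zlib.compress(data, 9)


def decelerate(data: bytes) -> bytes:
    return zlib.decompress(data)


# Constructed sample inputs: a repetitive document, like "HELLO" in Fig. 3.
REQUIRED_DATA = b"HELLO from content server 110. " * 200
VPN_KEY = b"constructed key: VPN switch 112 <-> acceleration server 160"
ACCEL_KEY = b"constructed key: acceleration server 160 <-> client 118'"
NONCE = bytes(8)


def prior_art_path(plain: bytes) -> tuple:
    """Figs. 1 and 3: VPN switch [112] encrypts at layer 3 and tunnel [114]
    passes through acceleration server [120], which only sees ciphertext.
    Returns (bytes sent over the air, bytes of the encrypted message)."""
    ciphertext = tunnel_xor(VPN_KEY, NONCE, plain)   # VPN switch [112]
    over_air = accelerate(ciphertext)                # server [120] tries anyway
    return len(over_air), len(ciphertext)


def invention_path(plain: bytes) -> tuple:
    """Figs. 4 and 5: VPN tunnel [164] terminates at acceleration server [160],
    which decrypts, accelerates and re-encrypts into acceleration tunnel [162].
    Returns (bytes sent over the air, bytes recovered by the client)."""
    vpn_ct = tunnel_xor(VPN_KEY, NONCE, plain)         # step 506, switch [112]
    at_server = tunnel_xor(VPN_KEY, NONCE, vpn_ct)     # step 508: plaintext here
    over_air = tunnel_xor(ACCEL_KEY, NONCE, accelerate(at_server))  # step 508
    at_client = decelerate(tunnel_xor(ACCEL_KEY, NONCE, over_air))  # step 510
    return len(over_air), at_client
```

Running both paths on the same message shows the prior art sending slightly more than the ciphertext length over the air and the Fig. 5 method sending a small fraction of it; note that at step [508] the acceleration server holds the plaintext, so in this design it sits inside the trust boundary rather than acting as a pass-through middlebox.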

As one can see, the methodology of Fig. 5 changes the point of demarcation of 
where the VPN tunnel originates / terminates. According to the aforementioned 
preferred embodiment of the invention, the VPN tunnel [164] terminates on the 
enterprise side of the VPN acceleration server [160] in the wireless network [108'], as 
opposed to traversing the wireless network [108'] as in the prior art CPE-VPN of Fig. 
1. As a result of this arrangement, the CPE-VPN can utilize the various 
aforementioned wireless communication performance acceleration/optimization 
techniques while at the same time providing a level of security equivalent to 
traditional VPN tunnels. This is because the network layer utilized in the encrypted 
acceleration tunnel (layer 2) is the same as that utilized by the acceleration server. As 
such, the methodology described above enables secure access to an enterprise network 
from devices traditionally not able to support full VPN communications and more 
efficiently transports encrypted data over wireless networks. As will be apparent to 
one skilled in the art, this solution can be applied to any wireless technology 
including: Global System for Mobile Communications (GSM); General Packet Radio 
Service (GPRS); Code-Division Multiple Access (CDMA); 1xRTT and Universal 
Mobile Telecommunications System (UMTS). 

In addition to allowing the CPE-VPN to utilize the aforementioned wireless 
communication performance optimization techniques, the methodology described 
above with respect to Fig. 5 is further beneficial for the following reason. Given that 
the VPN tunnel is only established over the Internet, and not over the air interface of 
the wireless network, one can ensure VPN permanence, as the problem of dropped 
VPN connections due to coverage issues is avoided. 

From a Wireless Service Provider's perspective, the aforementioned 
methodology is beneficial for the following reasons. First, the added feature of secure 
wireless connections with an enterprise network is a value-added offering to end-user 
corporate customers. Second, wireless providers do not need to sell acceleration 
servers to enterprise companies and instead can focus on selling wireless devices and 
services to end-users, their traditionally preferred sales channel. Finally, as a result of 
an enterprise not requiring its own acceleration server to optimize the signal before 
transmission over a VPN tunnel, a Wireless Service Provider can provide this service 
at a reduced cost. 
While particular embodiments of the present invention have been shown and 
described, it is clear that changes and modifications may be made to such 
embodiments without departing from the true scope of the invention. Thus, it is 
intended that the present invention cover the modifications and variations of this 
invention provided they come within the scope of the appended claims and their 
equivalents. 



